226 Chapter 5 User Account Control Figure 5-20 Disabling UAC compromises system security 8. Close all windows and reboot the computer. 9. Log on by using the parent_admin account. 10. Perform an administrator task, such as changing system time, or run an application. The parent_admin account is now running continuously with elevated privileges, and you no longer need to give permission to continue. 11. Switch user to parent_standard. 12. Attempt to perform an administrator task, such as changing system time, or run an appli- cation. As Figure 5-21 demonstrates, a user logged on with a standard account cannot perform administrator tasks and is not prompted for administrator credentials. Figure 5-21 A standard user can no longer supply administrator credentials Lesson 1: Configuring and Troubleshooting User Account Control 227 13. Switch user to parent_admin. 14. Restore the Run All Administrators In Admin Approval mode setting to Enabled. 15. Restore to their defaults any other UAC settings that you have changed. 16. Close all windows and reboot the computer. Optional Practice: Configuring Legacy Software to Run In Windows Vista In this practice session, you use the Windows Vista Program Compatibility Wizard to config- ure legacy software so that it runs in Windows Vista. You should carry out this practice only if you have legacy software—typically, a third-party program—that you want to run in Windows Vista. If you have no such requirement, you do not need to perform the practice. If in the future you need to run such software or if a user you are supporting has this requirement, then you can do the practice.  Practice 1: Running the Program Compatibility Wizard In this practice you use the Program Compatibility Wizard. The practice also demonstrates that you can often run a utility from the same Windows Vista Help and Support screen that you use to obtain information about it. 1. If necessary, log on using the parent_admin account. 2. Locate the software that you want to run. Typically, this will be on an installation CD- ROM or possibly in the Windows.old subdirectory. The software must not be an anti- virus program, a disk utility, or any other system program. 3. In Windows Vista Help And Support, search for “Compatibility Wizard.” 4. Click the Start The Program Compatibility Wizard link. 5. Click the Click To Open The Program Compatibility Wizard link. 6. The Welcome page appears. Click Next. 7. Select an option from the page shown in Figure 5-22. The option you select depends on the location of your legacy software. If in doubt, select I Want To Locate The Program Manually, click Next, and then click Browse. 228 Chapter 5 User Account Control Figure 5-22 Selecting a program location 8. Select the legacy program you want to run, as shown in Figure 5-23. Your legacy program will almost certainly be different from the one shown in the figure. Click Next. Figure 5-23 Selecting a program Lesson 1: Configuring and Troubleshooting User Account Control 229 9. Select the OS that is recommended for the program or that previously successfully sup- ported the program. Click Next. 10. Specify display settings, as shown in Figure 5-24. Click Next. Figure 5-24 Specifying display settings for legacy software 11. Many legacy programs (unfortunately) can run only in the context of an administrator account. If this is the case with your legacy program, select the Run This Program As An Administrator check box. Click Next. 12. If you are happy with your settings, click Next. 13. In the UAC dialog box, click Allow. 14. If you have configured the settings correctly, the legacy program should run. If it is an installation program, you can install the software. 15. You are prompted to inform Windows Vista whether the compatibility settings you con- figured were satisfactory, as shown in Figure 5-25. If so, select Yes, Set This Program To Always Use These Compatibility Settings. Click Next. 230 Chapter 5 User Account Control Figure 5-25 Setting the legacy program to use the specified settings 16. If you want to, send information about your program compatibility settings to Microsoft. Select either Yes or No, and then click Next. 17. Click Finish to close the wizard. Lesson Summary ■ You can use the Program Compatibility Wizard to run legacy programs in Windows Vista. Where such programs write to protected areas, Windows Vista sets up directories in the user profile to clone the protected areas. ■ By default, UAC ensures that an administrator account runs without elevated privileges except when such privileges are required to perform an administrator task. The user grants permission for this to happen. ■ A standard user is, by default, prompted to supply administrator credentials if he or she attempts to perform an administrator task. ■ The built-in Administrator account is disabled by default. When enabled, it does not, by default, use UAC and always runs with elevated privileges. ■ You can configure UAC settings to change the user experience of administrators, stan- dard users, and the built-in Administrator. ■ You can configure UAC settings to change how Windows Vista handles unsigned appli- cation files and UIAccess applications. ■ You can disable Secure Desktop. You can also disable UAC entirely, but this is not rec- ommended. Lesson 1: Configuring and Troubleshooting User Account Control 231 Lesson Review You can use the following questions to test your knowledge of the information in Lesson 1, “Configuring and Troubleshooting User Account Control.” The questions are also available on the companion CD if you prefer to review them in electronic form. NOTE Answers Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book. 1. Ian McLean is writing Chapter 5 of a book about Windows Vista. He wants to generate a figure that shows a UAC dialog box. He has not changed any UAC settings. He logs on with the administrator account he created when he installed Windows Vista and attempts to change the system time. When the UAC dialog box appears, he presses Print Screen, and then clicks Cancel to close the box. He opens Microsoft Paint and selects the Edit menu, but Paste is not available. What has he done wrong? A. He should not have clicked Cancel on the UAC dialog box. B. He should have disabled Secure Desktop. C. He should have logged on as a standard user. UAC does not apply to administrators. D. He should have logged on with another administrator account. UAC does not apply to the administrator account that he created when he installed Windows Vista. 2. What setting disables UAC? A. User Account Control: Run All Administrators In Admin Approval Mode is Disabled B. User Account Control: Run All Administrators In Admin Approval Mode is Enabled C. User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode is set to Elevate without prompting D. User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode is set to Prompt For Credentials 3. You want to ensure that legacy applications that attempt to write to protected parts of the registry or file system cannot run in Windows Vista. What UAC setting do you configure? A. User Account Control: Only Elevate Executables That Are Signed And Validated is Enabled B. User Account Control: Only Elevate Executables That Are Signed And Validated is Disabled C. User Account Control: Virtualize File And Registry Write Failures To Per-User Locations is Enabled D. User Account Control: Virtualize File And Registry Write Failures To Per-User Locations is Disabled 232 Chapter 5 User Account Control 4. You want to configure UAC settings. You open Local Security Policy from the Adminis- trative Tools menu and expand Security Settings. How do you access the UAC settings? A. Expand Local Policies, and select Security Options. B. Expand Local Policies, and select Audit Policy. C. Expand Local Policies, and select User Rights Assignment. D. Select Software Restriction Policies. 5. You have installed Windows Vista Ultimate on a computer that is part of a workgroup. Which of the following UAC settings are enabled by default? (Choose all that apply.) A. User Account Control: Admin Approval Mode For The Built-In Administrator Account B. User Account Control: Virtualize File And Registry Write Failures To Per-User Locations C. User Account Control: Only Elevate Executables That Are Signed And Validated D. User Account Control: Only Elevate UIAccess Applications That Are Installed In Secure Locations E. User Account Control: Run All Administrators In Admin Approval Mode F. User Account Control: Switch To The Secure Desktop When Prompting For Elevation 6. You are having difficulty running a legacy Windows 95 program in Windows Vista. You discover that the program will run only in the context of an administrator account. How do you run this program? A. You cannot run legacy programs that run only in the context of an administrator account. B. You need to enable the User Account Control: Virtualize File And Registry Write Failures To Per-User Locations setting. C. You need to run the Program Compatibility Wizard and select the Run This Pro- gram As An Administrator check box. D. You need to enable the User Account Control: Only Elevate Executables That Are Signed And Validated setting. Chapter 5 Review 233 Chapter Review To further practice and reinforce the skills you learned in this chapter, you can perform the fol- lowing tasks: ■ Review the chapter summary. ■ Review the list of key terms introduced in this chapter. ■ Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution. ■ Complete the suggested practices. ■ Take a practice test. Chapter Summary ■ UAC ensures that user accounts runs without elevated privileges unless the task the user wants to carry out requires such privileges. By default, administrators grant permission for this to happen while standard users need to supply the credentials of an administra- tor account. UAC does not apply to the built-in Administrator account by default. ■ Windows Vista permits legacy software that attempts to write to protected areas by vir- tualizing these areas in the user’s profile. You can use the Program Compatibility Wizard to run legacy programs that have compatibility issues. ■ UAC settings determine how Windows Vista handles unsigned application files and UIAccess applications and whether Secure Desktop is enabled when a UAC dialog box is generated. Key Terms Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book. ■ access token ■ account escalation ■ Admin Approval mode ■ administrator application ■ context ■ credentials ■ digitally signed ■ legacy programs ■ local Administrators group 234 Chapter 5 Review ■ privileges ■ Secure Desktop ■ User Account Control (UAC) Case Scenarios In the following case scenarios, you will apply what you have learned about configuring and troubleshooting UAC and running legacy applications. You can find answers to these ques- tions in the “Answers” section at the end of this book. Case Scenario 1: Giving Advice On User Account Control You are an IT professional for a company that provides equipment for home and small busi- ness users. Your company’s customer installations typically consist of between four and eight workstations configured as a workgroup. Your company has recently been supplying worksta- tions that run Windows Vista, and you have been asked to give advice about UAC. Answer the following questions: 1. Don Hall, the Chief Executive of Margie’s Travel, is not convinced about UAC. He wants to know why he, as an administrator, needs to click Continue every time he wants to per- form an administrator-level task. What do you tell him? 2. Don is unconvinced. As an administrator he wants to be able to perform all tasks with- out prompting. What setting can he change to accomplish this with the least impact on network security? 3. Don does not want any users logged on with standard accounts to be able to change con- figurations that affect any other user. As an IT professional, part of whose job specifica- tion is to advise on security, what do you tell him? If he insists on reconfiguring UAC, how best can he achieve his objectives with the least impact on network security? 4. Don wants to make the minimum number of changes to UAC configuration while assur- ing that he, as an administrator, is not prompted to give permission while performing administrative tasks while standard users are prohibited from initiating such tasks. How can Don reconfigure UAC to meet this goal, and what warning would you give? Case Scenario 2: Running Legacy Programs As an IT professional providing customer support, you need to advise customers about run- ning legacy programs. Answer the following questions: 1. Kim Ackers wants to prohibit any legacy program that attempts to write to protected reg- istry locations from running. What UAC setting should she configure? Chapter 5 Review 235 2. Don Hall cannot run a legacy program because it needs to run with a full administrator access token. How can he run the program? 3. You have a legacy virus protection program that you want to run in Windows Vista. You have read that the Windows Vista Program Compatibility Wizard can help configure leg- acy software so it can run. Should you use this wizard in this instance? If not, why not? Suggested Practices To help you successfully master the exam objectives presented in this chapter, complete the following tasks. Configure and Troubleshoot User Account Control ■ Practice: Investigate Additional UAC Settings The first practice session in this chapter asks you to reconfigure the UAC settings most commonly changed and investigate the results. Reconfigure the settings not specified in the practices and investigate the results. Configure Legacy Programs to Run in Windows Vista ■ Practice: Locate and Configure Legacy Programs Locate some legacy programs. If you or some friends and colleagues have old software installation CD-ROMs for Windows 95, Windows 98, or Windows ME, you can use setup programs on those disks. Configure the software so it runs in Windows Vista. Take a Practice Test The practice tests on this book’s companion CD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-620 certification exam content. You can set up the test so that it closely simulates the experience of taking a cer- tification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question. MORE INFO Practice tests For details about all the practice test options available, see the “How to Use the Practice Tests” sec- tion in this book’s Introduction. [...]... provides links that let you configure Windows Defender, Windows Firewall, Windows Update, and Internet settings as well as links to the Windows Help and Support files that describe these settings Figure 6-7 The Windows Security Center You can obtain information about Windows Defender activities by opening Windows Defender and clicking History The Windows Defender History window is shown in Figure 6-8... http://www.microsoft.com/downloads/details.aspx?FamilyId =47 DDCFA9- 645 D -44 95-9EDA-92CDE33E99A9&displaylang=en Practice: Configuring Windows Defender Scans In this practice session, you configure and carry out a Windows Defender custom scan You also configure a full system scan to occur at 1:00 A.M every day and specify the action that you want Windows Defender to take for each alert level These practices... Choosing Advanced Scanning Options When you configure Windows Defender to scan your computer, you can select advanced options You access these options by clicking Tools in Windows Defender, clicking Options, and scrolling to Advanced Options, as shown in Figure 6 -4 Figure 6 -4 Specifying advanced scanning options Lesson 1: Configuring Windows Defender 249 The following advanced options are available: ■... Configuring Windows Defender 239 ■ Lesson 2: Configuring Dynamic Security for Internet Explorer 7+ 266 237 238 Chapter 6 Configuring Internet Explorer Security Before You Begin To complete the lessons in this chapter, you must have done the following: ■ Installed Windows Vista Ultimate on a personal computer, as described in Chapter 1, “Installing Windows Vista. .. configure Windows Defender and determine when scans occur If, in addition, you select the Allow Everyone To Use Windows Defender check box, this allows all users, including standard users, to scan the computer, configure how Windows Defender deals with potentially harmful software, and review all Windows Defender activities 250 Chapter 6 Configuring Internet Explorer Security Scheduling Windows Defender... 1: Configuring Windows Defender 251 Working with Windows Defender Definitions Definitions are files that identify and describe potential software threats Windows Defender uses definitions to determine if software that it detects is spyware or other potentially unwanted software and then to alert you to potential risks To help keep your definitions up-to-date, Windows Defender works with Windows Update... computing experience If you do not want Windows Vista to install updates automatically, you can instead configure a notification that warns you when your computer requires updates, so you can download and install them yourself Alternatively, you can set Windows Vista to automatically download updates and then notify you so you can install them yourself To do this, you open Windows Update from the All Programs... of all! 2 54 Chapter 6 Configuring Internet Explorer Security You can quickly obtain information about whether Windows Defender is protecting a computer, whether automatic updating is configured, and other security information by clicking Security in Control Panel and opening the Windows Security Center, as shown in Figure 6-7 The Windows Security Center provides links that let you configure Windows Defender,... Live OneCare, and with the SpyNet community The SpyNet community was described earlier in this chapter Windows Live OneCare Windows Live OneCare is a subscription service, so you need to pay for it It integrates tightly with Windows Defender and extends the protection that Windows Defender provides Windows Live OneCare helps protect your computer and provides automated optimization features that should... you start Windows However, it is convenient, particularly in a computer that has multiple users, to be able to view all the software on a computer and obtain information about each application Exam Tip The Show For All Users feature in Software Explorer might not appear—for example, it can be disabled in the enterprise environment However, the 70- 620 exam tests your knowledge of Windows Vista Ultimate . done the following: ■ Installed Windows Vista Ultimate on a personal computer, as described in Chapter 1, “Installing Windows Vista Client, ” and Chapter 2, Windows Vista Upgrades and Migrations.” ■. Software to Run In Windows Vista In this practice session, you use the Windows Vista Program Compatibility Wizard to config- ure legacy software so that it runs in Windows Vista. You should carry. knowledge. Lesson 1: Configuring Windows Defender 243 MORE INFO Windows Defender real-time protection For more information, search Windows Help and Support for “Understanding Windows Defender real-time